Described embodiments provide systems and methods for generating a network space to perform mitigation actions on a plurality of users. At least one server may determine a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users. Using a plurality of clustering features, the at least one server may generate a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness. The at least one server may perform a mitigation action on the subset of users corresponding to the generated network space.

Systems and methods for enhancing the Connectivity Fault Management (CFM) protocol defined in IEEE 802.1Q are provided. In particular, the enhancements include adding a security or safety feature to prevent malicious attacks. A method, according to one implementation, includes the step of operating a Network Element (NE) in a safety mode associated with a link connectivity protocol (e.g., CFM) that involves receiving one or more messages used for detecting link connectivity issues of an Ethernet service in a section of a network and responding to the link connectivity issues. In response to receiving the one or more messages used for detecting link connectivity issues while operating the NE in the safety mode, the method includes the step of storing the one or more messages as one or more untrusted messages in an isolated database of the NE without processing information in the one or more untrusted messages.

A quarantine system could be disposed between an outer firewall and an inner firewall. The quarantine system may include persistent storage containing mappings between computing devices disposed within the inner firewall and data sources disposed outside the outer firewall. The quarantine system may include one or more processors configured to perform operations that include requesting and receiving, based on the mappings, a software-related update from a data source, the software-related update being targeted for deployment on the computing devices. The operations may also include assigning the software-related update for review by a group of one or more agents authorized to approve or reject the software-related update. The operations may also receiving an indication that the software-related update has been approved by the one or more agents and, responsive to receiving the indication, transmitting, based on the mappings, the software-related update to a recipient device within the inner firewall.

In some examples, a method for generating a low data rate signal for transmission from a first network domain to a second network domain, the second network domain logically separated from the first network domain by a firewall, can include encoding a signal from a first device logically positioned within the first network domain to form a data signal, and transmitting the data signal over an out-of-band communications channel from the first network domain to the second network domain.

This disclosure describes methods to distribute intrusion detection in a network across multiple devices in the network, such as across routing/switching or other infrastructure devices. For example, as a packet is routed through a network infrastructure, an overlay mechanism may be utilized to indicate which of a total set of intrusion detection rules have been applied to the packet. Each infrastructure device may evaluate which rules have already been applied to the packet, using a result of the evaluation to determine where to route the packet in the network infrastructure for application of additional intrusion detection rules. Additionally, each infrastructure device may record a result of its application of the portion of intrusion detection rules directly into the packet.

A cloud node in a cloud-based system includes one or more processors and memory storing instructions that, when executed, cause the one or more processors to: communicate with a user associated with a tenant of a plurality of tenants; obtain policy and configuration for the user based on the tenant, from a central authority in the cloud-based system; provide the one or more cloud services to the user, based on the policy and configuration; and crawl one or more cloud providers having a plurality of files for the user, based on the policy and configuration. The cloud node is inline between a user device of the user and the Internet, as well as connected to the one or more cloud providers.

The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to process an incoming request from a client and generate metadata. The network security system is further configured to transmit the incoming request to a cloud application. The network security system is further configured to configure the metadata to expire after an expiration window. The network security system is further configured to receive, after the expiration window, a further incoming request from the client. The further incoming request is directed towards the cloud application and subject to policy enforcement that requires the expired metadata. The network security system is further configured to hold the further incoming request and transmit a synthetic request to the cloud application. The synthetic request is configured to retrieve the expired metadata from the cloud application.

A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate device settings on one or more of the industrial assets to implement the security event management policies, and deploys these instructions to the appropriate assets in order to implement the defined policies.

Disclosed herein is a technique for detecting potential phishing attacks by monitoring outbound web traffic from an endpoint, along with inbound electronic mail traffic addressed to a user of the endpoint. With this information, a search can be performed for possible sources in the web traffic of a request for a hyperlink located in the inbound mail traffic, and when no source is located, phishing remediation can be performed, including restrictions on access to the hyperlink at an endpoint operated by the user.

A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.